diff --git a/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs b/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
index 8ed29939b0..2427beabc6 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
@@ -13,9 +13,9 @@ use tokio::sync::{Mutex, RwLock};
use crate::{
vhost_user_blk::VhostUserBlkDevice, BlockConfig, BlockDevice, HybridVsockDevice, Hypervisor,
- NetworkDevice, ShareFsDevice, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockDevice,
- KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE, KATA_NVDIMM_DEV_TYPE,
- VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
+ NetworkDevice, ProtectionDevice, ShareFsDevice, VfioDevice, VhostUserConfig,
+ VhostUserNetDevice, VsockDevice, KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE,
+ KATA_NVDIMM_DEV_TYPE, VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
};
use super::{
@@ -250,7 +250,7 @@ impl DeviceManager {
return Some(device_id.to_string());
}
}
- DeviceType::HybridVsock(_) | DeviceType::Vsock(_) => {
+ DeviceType::HybridVsock(_) | DeviceType::Vsock(_) | DeviceType::Protection(_) => {
continue;
}
}
@@ -386,6 +386,13 @@ impl DeviceManager {
Arc::new(Mutex::new(ShareFsDevice::new(&device_id, config)))
}
+ DeviceConfig::ProtectionDevCfg(pconfig) => {
+ // No need to do find device for protection device.
+ Arc::new(Mutex::new(ProtectionDevice::new(
+ device_id.clone(),
+ pconfig,
+ )))
+ }
};
// register device to devices
diff --git a/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs b/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
index 6b6d23c839..34e2022b98 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
@@ -4,6 +4,7 @@
// SPDX-License-Identifier: Apache-2.0
//
+mod protection_device;
mod vfio;
mod vhost_user;
pub mod vhost_user_blk;
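Review bot: In the new `DeviceConfig::ProtectionDevCfg` arm, `ProtectionDevice::new(device_id.clone(), pconfig)` clones the id by value while the neighbouring arm passes `ShareFsDevice::new(&device_id, config)` a borrow, and `ProtectionDevice::new` in driver/protection_device.rs (later in this diff) takes the `String` only to clone it once more into the struct. Changing the constructor to `pub fn new(device_id: &str, config: &ProtectionDeviceConfig) -> Self` with `device_id: device_id.to_string()` lets this arm read `ProtectionDevice::new(&device_id, pconfig)` like its siblings and drops both clones. The comment `// No need to do find device for protection device.` would be clearer as `// No find_device() lookup: a protection device is not matched against existing devices.`, which is what the skip added in the hunk above implements. The enclosing `match` and function start above this hunk.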
@@ -13,6 +14,7 @@ mod virtio_fs;
mod virtio_net;
mod virtio_vsock;
+pub use protection_device::{ProtectionDevice, ProtectionDeviceConfig, SevSnpConfig};
pub use vfio::{
bind_device_to_host, bind_device_to_vfio, get_vfio_device, HostDevice, VfioBusMode, VfioConfig,
VfioDevice,
diff --git a/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
new file mode 100644
index 0000000000..17e51a5724
--- /dev/null
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
@@ -0,0 +1,80 @@
+// Copyright (c) 2025 Red Hat
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use crate::{
+ device::{topology::PCIeTopology, Device, DeviceType},
+ Hypervisor as hypervisor,
+};
+use anyhow::{Context, Result};
+use async_trait::async_trait;
+
+#[derive(Debug, Clone)]
+pub enum ProtectionDeviceConfig {
+ SevSnp(SevSnpConfig),
+}
+
+#[derive(Debug, Clone)]
+pub struct SevSnpConfig {
+ pub is_snp: bool,
+ pub cbitpos: u32,
+ pub firmware: String,
+ pub certs_path: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct ProtectionDevice {
+ pub device_id: String,
+ pub config: ProtectionDeviceConfig,
+}
+
+impl ProtectionDevice {
+ pub fn new(device_id: String, config: &ProtectionDeviceConfig) -> Self {
+ Self {
+ device_id: device_id.clone(),
+ config: config.clone(),
+ }
+ }
+}
+
+#[async_trait]
+impl Device for ProtectionDevice {
+ async fn attach(
+ &mut self,
+ _pcie_topo: &mut Option<&mut PCIeTopology>,
+ h: &dyn hypervisor,
+ ) -> Result<()> {
+ h.add_device(DeviceType::Protection(self.clone()))
+ .await
+ .context("add protection device.")?;
+
+ return Ok(());
+ }
+
+ // Except for attach() and get_device_info(), the rest of Device operations
+ // don't seem to make sense for proctection device.
+ async fn detach(
+ &mut self,
+ _pcie_topo: &mut Option<&mut PCIeTopology>,
+ _h: &dyn hypervisor,
+ ) -> Result> {
+ Ok(None)
+ }
+
+ async fn update(&mut self, _h: &dyn hypervisor) -> Result<()> {
+ Ok(())
+ }
+
+ async fn get_device_info(&self) -> DeviceType {
+ DeviceType::Protection(self.clone())
+ }
+
+ async fn increase_attach_count(&mut self) -> Result {
+ Ok(false)
+ }
+
+ async fn decrease_attach_count(&mut self) -> Result {
+ Ok(false)
+ }
+}
diff --git a/src/runtime-rs/crates/hypervisor/src/device/mod.rs b/src/runtime-rs/crates/hypervisor/src/device/mod.rs
index 0a139c2f4c..dc4c31926b 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/mod.rs
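Review bot: `increase_attach_count` and `decrease_attach_count` both answer `Ok(false)` unconditionally and `attach` calls `h.add_device(...)` every time, so this driver keeps no record of having been attached; if the device manager uses the `increase_attach_count` result to skip a repeated attach (its code is not in this diff), a second attach of the same device would hand the hypervisor the protection settings twice — worth confirming the hypervisor side tolerates that, or stating in a comment that the device is attached exactly once. None of the three public types has a doc comment; I would put `/// Guest-protection settings handed to the hypervisor through the device interface.` on `ProtectionDeviceConfig` and per-field comments on `SevSnpConfig` (for example `/// Position of the memory-encryption C-bit in guest physical addresses.` on `cbitpos`, and that `firmware` and `certs_path` are host-side paths), hedged where the field's consumer is not visible here. `return Ok(());` at the end of `attach` can be the tail expression `Ok(())` (clippy `needless_return`), and the comment above `detach` misspells "protection".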
@@ -9,8 +9,9 @@ use std::fmt;
use crate::device::driver::vhost_user_blk::VhostUserBlkDevice;
use crate::{
BlockConfig, BlockDevice, HybridVsockConfig, HybridVsockDevice, Hypervisor as hypervisor,
- NetworkConfig, NetworkDevice, ShareFsConfig, ShareFsDevice, VfioConfig, VfioDevice,
- VhostUserConfig, VhostUserNetDevice, VsockConfig, VsockDevice,
+ NetworkConfig, NetworkDevice, ProtectionDevice, ProtectionDeviceConfig, ShareFsConfig,
+ ShareFsDevice, VfioConfig, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockConfig,
+ VsockDevice,
};
use anyhow::Result;
use async_trait::async_trait;
@@ -35,6 +36,7 @@ pub enum DeviceConfig {
VfioCfg(VfioConfig),
VsockCfg(VsockConfig),
HybridVsockCfg(HybridVsockConfig),
+ProtectionDevCfg(ProtectionDeviceConfig),
}
#[derive(Debug, Clone)]
@@ -47,6 +49,7 @@ pub enum DeviceType {
ShareFs(ShareFsDevice),
HybridVsock(HybridVsockDevice),
Vsock(VsockDevice),
+Protection(ProtectionDevice),
}
impl fmt::Display for DeviceType {
diff --git a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
index 3b381f23da..f3f46b90c5 100644
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
@@ -96,7 +96,7 @@ impl DragonballInner {
.context("add vhost-user-net device")?;
Ok(DeviceType::VhostUserNetwork(dev))
}
- DeviceType::Vsock(_) => todo!(),
+ DeviceType::Vsock(_) | DeviceType::Protection(_) => todo!(),
}
}
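Review bot: `ProtectionDevCfg(ProtectionDeviceConfig)` breaks the naming pattern of the surrounding `DeviceConfig` variants (`VfioCfg(VfioConfig)`, `VsockCfg(VsockConfig)`, `HybridVsockCfg(HybridVsockConfig)`), where the variant is `<Name>Cfg` and its payload `<Name>Config`, while the `DeviceType` variant added in the next hunk, `Protection(ProtectionDevice)`, does follow its neighbours. Renaming to `ProtectionCfg(ProtectionConfig)` (with the matching arm in device_manager.rs and the type in driver/protection_device.rs) would keep the two enums parallel. The `impl fmt::Display for DeviceType` that begins on the last line of the third hunk is not shown; if it matches per variant the compiler will demand a `Protection` arm, but if it uses a catch-all the new variant will silently print as whatever that arm produces, so it is worth a look.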
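Review bot: `DeviceType::Protection(_) => todo!()` turns a request to add a protection device into a panic of the runtime, whereas the function already returns a `Result` and the vhost-user-net arm above reports failures through `.context(...)?`. Since Dragonball has no handling for this device type, an explicit error is the safer outcome for a confidential-VM configuration that cannot be honoured: `DeviceType::Protection(_) => Err(anyhow::anyhow!("protection device is not supported by dragonball")),`, keeping the existing `Vsock` arm as it was. The enclosing function starts above this hunk, so I am inferring its return type from the `Ok(DeviceType::VhostUserNetwork(dev))` context line.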